RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1417766 - ipa-replica-install fails on CA import "java.lang.Exception: Certificate caSigningCert cert-pki-ca is invalid: Invalid certificate: (-8179) Peer's Certificate issuer is not recognized"
Summary: ipa-replica-install fails on CA import "java.lang.Exception: Certificate caSi...
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.3
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: rc
: ---
Assignee: Fraser Tweedale
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-30 22:25 UTC by Amy Farley
Modified: 2020-10-04 21:22 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-26 13:27:27 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 2707 0 None open Preserving subject DN encoding during renewal 2021-02-03 19:44:25 UTC

Description Amy Farley 2017-01-30 22:25:08 UTC 
Description of problem:

After having a cert renewal failure on 7.2 master (due to loss of tracking on all certs), this replica was promoted and then used to renew its own certs.

It has been failing to install replicas, with issues stemming from what seems to be an extra ldap certificate?

Version-Release number of selected component (if applicable):

ipa-server-dns-4.4.0-14.el7_3.4.noarch
ipa-server-common-4.4.0-14.el7_3.4.noarch
ipa-common-4.4.0-14.el7_3.4.noarch
ipa-client-common-4.4.0-14.el7_3.4.noarch
sssd-ipa-1.14.0-43.el7_3.11.x86_64
ipa-admintools-4.4.0-14.el7_3.4.noarch
ipa-client-4.4.0-14.el7_3.4.x86_64
ipa-server-4.4.0-14.el7_3.4.x86_64

# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
-- This was updated to latest IPA packages, but it did not update the base RHEL as part of the yum update ipa-server
Comment 22 Endi Sukma Dewata 2017-02-07 16:07:53 UTC 
https://fedorahosted.org/pki/ticket/2587
Comment 23 Francesco Giannoccaro 2017-02-08 18:45:51 UTC 
Thanks for the clarification about the change on the DN encoding.

From our prospective the troubleshooting process we went through in the last few weeks made clear that taking the faulty IPA systems to a stable and reliable status is very difficult if even not possible at all.
 
We have decided to perform an installation from scratch of a new IPA environment to reduce the risk in future of having same issue or other related issues. 

A short summary of the step we are currently following is:

1. perform a fresh install of IdM/IPA, and instead of setting the Winsync using Trust configuration 

2. create new domain as a subdomain of our corporate Windows AD (unix.phe.gov.uk)

3. sign the IdM/IPA root CA cert with the PHE AD root CA cert, so that clients can have a valid trust path for IdM/IPA issues certs

4. create a one way trust from the IdM/IPA to the PHE AD so that existing AD users can authenticate to IDM

5. run both IPA systems in parallel (the faulty and new one) and migrate things over in a controlled manor

Once we'll complete all the above step and all clients will be successfully migrated to the new IPA, we are keen to help - if you think it could be any how useful to resolve this bug - with performing further tests or apply patch to our faulty IPA system to test possible solution (maybe useful for other users).
Comment 24 Marc Sauton 2017-02-10 23:18:47 UTC 
for the workaround the the CA's CS.cfg, note the order may be important:
X500Name.directoryStringEncodingOrder=UTF8String,PrintableString,T61String,BMPString,UniversalString
versus
X500Name.directoryStringEncodingOrder=PrintableString,UTF8String,T61String,BMPString,UniversalString
may not have the same effect
Comment 25 Petr Vobornik 2017-02-17 16:55:55 UTC 
*** Bug 1415852 has been marked as a duplicate of this bug. ***
Comment 26 Matthew Harmsen 2017-10-25 21:13:49 UTC 
[20171025] - RHEL 7.5 pre-Alpha Offline Triage ==> 7.6
Comment 27 Matthew Harmsen 2018-04-27 01:30:02 UTC 
Per RHEL 7.5.z/7.6/8.0 Triage:  7.6

alee: looks like it was tied to a customer case.  Need to confirm if this case is active.
Note You need to log in before you can comment on or make changes to this bug.